The AWS Certified Solutions Architect - Professional (SAP-C02) is widely regarded as one of the most difficult cloud certifications available. It does not merely extend the Associate exam — it demands a fundamentally different level of reasoning. Questions are long, scenarios are complex, and every answer choice is plausible. The exam tests your ability to weigh trade-offs across cost, resilience, security, and operational complexity simultaneously.
Passing SAP-C02 assumes Associate-level knowledge is internalized so thoroughly that it needs no active recall; the exam builds on top of it rather than re-testing it.
Exam Overview
The SAP-C02 exam contains 75 questions (65 scored, 10 unscored) with a 180-minute time limit. The passing score is 750 out of 1000. Questions are multiple choice and multiple response.
Domain Weights
| Domain | Weight |
|---|---|
| Domain 1: Design Solutions for Organizational Complexity | 26% |
| Domain 2: Design for New Solutions | 29% |
| Domain 3: Continuous Improvement for Existing Solutions | 25% |
| Domain 4: Accelerate Workload Migration and Modernization | 20% |
Domain 1: Design Solutions for Organizational Complexity (26%)
This domain is unique to the Professional exam. It tests multi-account architecture, delegation of control, and managing AWS at enterprise scale.
AWS Organizations
Organizations is the foundation of multi-account strategy. Key concepts:
- Management account: The account that creates the organization and owns billing. SCPs do not apply to it, so keep workloads out of it and use it only for organization administration
- Organization units (OUs): Hierarchical groupings of accounts; a policy attached to an OU affects every account beneath it, including nested OUs
- Service Control Policies (SCPs): Restrict which actions member accounts may perform, including actions by the account's root user and administrators. SCPs are not grants; they cap what IAM policies in the account can allow. The default FullAWSAccess SCP allows everything, so a restrictive OU either adds deny-list SCPs beside it or replaces it with an allow-list
- AWS Control Tower: Automates landing-zone setup (a Log Archive account, an Audit account, baseline OUs) with preventive and detective controls (formerly called guardrails)
SCP evaluation logic:
An action is allowed in a member account only if (1) at every level between the organization root and the account (the root, each OU on the path, and the account itself) some attached SCP contains an explicit Allow matching the action and no attached SCP contains an explicit Deny, and (2) an IAM policy in the account (identity-based or resource-based) allows it. A Deny in any SCP cannot be overridden by an IAM policy inside the account. SCPs never restrict the management account or service-linked roles.
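The evaluation order above, as an added example that is not part of the original page: a small simulator that walks the SCP chain from root to account and then applies the identity policy. It reduces statements to Effect and Action (Resource, Condition, resource-based policies and permission boundaries are deliberately ignored, an assumption made to keep the SCP logic visible), and the OU names, policy contents and actions are constructed for illustration.

```python
"""SCP plus identity-policy evaluation, as a small simulator.

Assumption (not from the page): statements carry only Effect and Action;
Resource, Condition, resource-based policies and permission boundaries
are out of scope so the SCP logic itself stays readable.
"""
import fnmatch

FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*"}]}


def _actions(stmt):
    acts = stmt.get("Action", [])
    return [acts] if isinstance(acts, str) else list(acts)


def _permits(policies, action):
    """Evaluate one set of policies the way IAM does for identity policies
    and for the SCPs attached at one level: any explicit Deny wins,
    otherwise at least one explicit Allow is required; default is deny."""
    allow = deny = False
    for pol in policies:
        for stmt in pol.get("Statement", []):
            if any(fnmatch.fnmatchcase(action, pat) for pat in _actions(stmt)):
                if stmt.get("Effect") == "Deny":
                    deny = True
                elif stmt.get("Effect") == "Allow":
                    allow = True
    return allow and not deny


def scp_permits(scp_chain, action, management_account=False):
    """scp_chain lists the SCPs attached at each level from the organization
    root down to the account (one list per level). Every level must permit
    the action. The management account is never restricted by SCPs."""
    if management_account:
        return True
    return all(_permits(level, action) for level in scp_chain)


def is_allowed(scp_chain, identity_policies, action, management_account=False):
    """Effective decision: SCPs cap the account, then the identity policy
    must grant. A Deny at any SCP level cannot be overridden from inside."""
    return scp_permits(scp_chain, action, management_account) and _permits(
        identity_policies, action)


# Constructed sample hierarchy: root -> OU -> account.
DENY_CLOUDTRAIL_CHANGES = {"Statement": [{"Effect": "Deny", "Action": [
    "cloudtrail:StopLogging", "cloudtrail:DeleteTrail", "cloudtrail:UpdateTrail"]}]}
SANDBOX_ALLOWLIST = {"Statement": [{"Effect": "Allow", "Action": [
    "ec2:*", "s3:*", "cloudwatch:*"]}]}

# Deny-list style: FullAWSAccess stays attached, a targeted Deny sits beside it.
WORKLOADS_CHAIN = [[FULL_AWS_ACCESS],
                   [FULL_AWS_ACCESS, DENY_CLOUDTRAIL_CHANGES],
                   [FULL_AWS_ACCESS]]
# Allow-list style: FullAWSAccess detached from the OU, so only the listed
# services receive an explicit Allow at that level.
SANDBOX_CHAIN = [[FULL_AWS_ACCESS], [SANDBOX_ALLOWLIST], [FULL_AWS_ACCESS]]

ADMIN = [{"Statement": [{"Effect": "Allow", "Action": "*"}]}]
EC2_READ_ONLY = [{"Statement": [{"Effect": "Allow", "Action": "ec2:Describe*"}]}]


if __name__ == "__main__":
    cases = [
        ("workloads admin, ec2:RunInstances", WORKLOADS_CHAIN, ADMIN, "ec2:RunInstances", False),
        ("workloads admin, cloudtrail:StopLogging", WORKLOADS_CHAIN, ADMIN, "cloudtrail:StopLogging", False),
        ("management account, cloudtrail:StopLogging", WORKLOADS_CHAIN, ADMIN, "cloudtrail:StopLogging", True),
        ("sandbox admin, iam:CreateUser", SANDBOX_CHAIN, ADMIN, "iam:CreateUser", False),
        ("workloads ec2 read-only, ec2:RunInstances", WORKLOADS_CHAIN, EC2_READ_ONLY, "ec2:RunInstances", False),
    ]
    for label, chain, ident, action, mgmt in cases:
        print(f"{label}: {'ALLOW' if is_allowed(chain, ident, action, mgmt) else 'DENY'}")
```

The two OU styles are the ones the exam contrasts: the Workloads OU keeps FullAWSAccess and layers a Deny on top, so an account administrator can still do everything except tamper with CloudTrail; the Sandbox OU has FullAWSAccess detached, so anything not explicitly listed (here `iam:CreateUser`) is denied even for an admin with `Allow *`. The management-account case shows why no workload should live there: the same Deny has no effect.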
Cross-Account Patterns
Resource sharing with AWS RAM (Resource Access Manager):
- Share VPCs (subnets), Transit Gateways, Route 53 Resolver rules, and other resources
- Avoids duplicating infrastructure across accounts
- Shared subnets allow workloads in different accounts to communicate without VPC peering
Cross-account role assumption pattern:
The standard pattern for cross-account access:
- Create a role in the target account with a trust policy that names the source principal (ideally a specific role, not the whole source account) as allowed to assume it
- Attach permissions to that role for only the actions the caller needs
- Give the source principal an identity policy allowing sts:AssumeRole on the target role's ARN, then call sts:AssumeRole from the source account and use the temporary credentials it returns
For third-party access, add an sts:ExternalId condition to the trust policy to prevent the confused-deputy problem; within your own organization, an aws:PrincipalOrgID condition keeps the role from being assumed by accounts outside it.
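The two policy documents the pattern requires, plus a check for the trust-policy mistakes that show up in real environments, as an added example that is not code from the original page. The account IDs, role names, organization ID and external ID are placeholders, and the audit only inspects the Principal and Condition shape of AssumeRole statements.

```python
"""Cross-account role trust: build the two policy documents the pattern
needs and audit a trust policy for overly broad trust. Added example; the
account IDs (111111111111, 222222222222), role names, organization ID and
external ID below are placeholders, not real identifiers.
"""
import json


def build_trust_policy(source_account_id, source_role_name,
                       external_id=None, org_id=None):
    """Trust policy for the role in the TARGET account. It names one specific
    role in the source account instead of the whole account, and can pin
    sts:ExternalId (third-party callers, confused-deputy defence) and
    aws:PrincipalOrgID (callers must belong to your organization)."""
    stmt = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{source_account_id}:role/{source_role_name}"},
        "Action": "sts:AssumeRole",
    }
    equals = {}
    if external_id:
        equals["sts:ExternalId"] = external_id
    if org_id:
        equals["aws:PrincipalOrgID"] = org_id
    if equals:
        stmt["Condition"] = {"StringEquals": equals}
    return {"Version": "2012-10-17", "Statement": [stmt]}


def build_source_policy(target_account_id, target_role_name):
    """Identity policy for the SOURCE principal. Cross-account, the trust
    policy alone is not enough: the caller also needs sts:AssumeRole on the
    target role's ARN granted in its own account."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": f"arn:aws:iam::{target_account_id}:role/{target_role_name}",
    }]}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def audit_trust_policy(doc):
    """Return findings for AssumeRole statements that trust too broadly.
    Only the Principal and Condition shape is examined."""
    findings = []
    for i, stmt in enumerate(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*", "*")
                   for a in _as_list(stmt.get("Action"))):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            aws_principals = ["*"]
        elif isinstance(principal, dict):
            aws_principals = _as_list(principal.get("AWS"))
        else:
            aws_principals = []
        cond = stmt.get("Condition") or {}
        cond_keys = {k.lower() for sub in cond.values() for k in sub}
        if "*" in aws_principals and not cond:
            findings.append(f"statement {i}: Principal '*' with no Condition; "
                            "any AWS account could assume this role")
        for p in aws_principals:
            if p.endswith(":root") and not cond_keys & {"sts:externalid", "aws:principalorgid"}:
                findings.append(f"statement {i}: trusts every principal in account "
                                f"{p.split(':')[4]}; name a specific role, or add "
                                "sts:ExternalId / aws:PrincipalOrgID")
    return findings


# Constructed weak trust policy: whole-account trust, no conditions.
WEAK_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
    "Action": "sts:AssumeRole",
}]}

HARDENED_TRUST = build_trust_policy("111111111111", "DeployPipelineRole",
                                    external_id="ext-12345", org_id="o-exampleorgid")

if __name__ == "__main__":
    print(json.dumps(HARDENED_TRUST, indent=2))
    print(json.dumps(build_source_policy("222222222222", "CrossAccountDeployRole"), indent=2))
    print("weak:", audit_trust_policy(WEAK_TRUST))
    print("hardened:", audit_trust_policy(HARDENED_TRUST))
```

Naming a specific role ARN in the trust policy has one operational consequence worth knowing for the exam: if that source role is deleted and recreated with the same name, IAM replaces the ARN in the trust policy with the old role's unique ID, and the trust silently stops working until the policy is re-saved.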
Amazon Macie: Automatically discovers and classifies sensitive data (PII, financial records) in S3. In multi-account scenarios, designate a delegated administrator account so findings from every member account are centralized in one place.
Domain 2: Design for New Solutions (29%)
This is the heaviest domain and tests complex architecture design across compute, storage, databases, networking, and hybrid connectivity.
Advanced Networking Architectures
Transit Gateway: A hub for connecting multiple VPCs and on-premises networks. Replaces the complexity of full-mesh VPC peering.
| Feature | VPC Peering | Transit Gateway |
|---|---|---|
| Max connections | N*(N-1)/2 full mesh | Hub and spoke; scales linearly |
| Transitive routing | Not supported | Supported |
| Cross-account | Supported | Supported |
| Cross-region | Supported (via inter-region peering) | Supported (via inter-region peering) |
| Cost | Free (only data transfer costs) | Per attachment plus data processing |
AWS Direct Connect with VPN backup:
The resilient hybrid connectivity pattern uses Direct Connect for primary traffic and a Site-to-Site VPN as backup; AWS prefers Direct Connect routes over VPN routes to the same prefix, so failover is automatic when the BGP session drops. For maximum resilience, use two Direct Connect connections at different Direct Connect locations plus VPN. Direct Connect traffic is not encrypted by default: when encryption in transit is required, run an IPsec Site-to-Site VPN over a public virtual interface, or use MACsec on dedicated connections that support it.
Direct Connect Gateway: Enables a single Direct Connect connection to access VPCs in multiple regions.
Multi-Region Active/Active Architecture
For global applications requiring sub-100ms latency and maximum availability:
- Use Amazon Route 53 geolocation or latency routing to direct users to the nearest region
- Use Amazon Aurora Global Database for low-latency reads with cross-region replication (secondary regions have read-only access; failover promotes a secondary to primary)
- Use DynamoDB Global Tables for multi-region, multi-master NoSQL tables
- Use S3 Cross-Region Replication for object storage replication
- Use CloudFront with multiple origins for content distribution
Event-Driven Architecture at Scale
The SAP exam tests complex event-driven patterns:
Amazon Kinesis Data Streams vs. SQS:
| Aspect | Kinesis Data Streams | SQS |
|---|---|---|
| Consumer model | Multiple consumers, each reads all records | Each message consumed by one consumer |
| Retention | 24 hours by default; extendable to 7 days, and up to 365 days with long-term retention | 1 minute to 14 days (default 4 days) |
| Ordering | Per shard | FIFO queue only |
| Use case | Real-time analytics, log aggregation | Decoupled microservices, work queues |
| Scale | Shard-based; per shard 1 MB/s or 1,000 records/s ingest and 2 MB/s read (shared by all consumers unless enhanced fan-out is used) | Scales automatically |
Kinesis Data Firehose: Fully managed, near-real-time delivery to S3, Redshift, OpenSearch, Splunk, or HTTP endpoints. No consumers to manage; just configure the destination. It buffers records by size or time before delivering, so it is not the right choice when sub-second processing is required.
Containerization Patterns
ECS vs. EKS selection criteria:
Choose ECS when the team has no Kubernetes expertise and wants AWS-native orchestration with less operational overhead. Choose EKS when the organization has existing Kubernetes tooling, expertise, or requires portability.
Fargate vs. EC2 launch type:
Fargate removes the need to manage EC2 instances. Use it for workloads where you want no infrastructure management. EC2 launch type provides access to GPU instances, specific placement groups, and maximizes cost efficiency with Reserved Instances.
Domain 3: Continuous Improvement for Existing Solutions (25%)
This domain tests your ability to analyze an existing architecture and recommend targeted improvements without a full redesign.
Cost Optimization Patterns
S3 Intelligent-Tiering: Automatically moves objects between access tiers based on access patterns. No retrieval fees, but a small per-object monitoring charge applies, and objects smaller than 128 KB are not monitored or tiered. Appropriate when access patterns are unpredictable.
Compute Optimizer recommendations:
AWS Compute Optimizer analyzes CloudWatch utilization data and recommends:
- Right-sizing EC2 instances
- Converting to Graviton processor instances (up to 40% better price-performance)
- Adjusting Lambda memory settings
- EBS volume type recommendations
Reserved Instance and Savings Plan coverage analysis:
Use AWS Cost Explorer's Coverage and Utilization reports to identify where RI or Savings Plan coverage is low (purchase more) and where utilization is low (modify the RIs, or sell them on the Reserved Instance Marketplace; only Standard RIs can be sold, Convertible RIs cannot).
Improving Database Architectures
Aurora Serverless v2: Automatically scales in increments of 0.5 Aurora Capacity Units (ACUs). Use for dev/test environments, infrequently accessed applications, or unpredictable workloads. Less cost-effective for steady workloads that would sit near their maximum capacity all the time; a provisioned instance is cheaper there.
Read replica and failover strategy: Aurora supports up to 15 Aurora Replicas per cluster; on failover, the replica with the best priority tier (tier 0 first) is promoted to writer within the same cluster. For blue/green testing, create an Aurora clone (copy-on-write, so it is fast and cheap) or use RDS Blue/Green Deployments rather than promoting a replica out of the cluster.
DynamoDB hot partition mitigation:
Hot partitions occur when one partition key receives a disproportionate share of traffic; a single partition is capped at 3,000 RCU and 1,000 WCU no matter how much capacity the table has. Solutions:
- Write sharding: append a random suffix to the partition key and scatter-gather across all suffixes at read time, or append a calculated suffix (a hash of an attribute the reader already knows) so reads can still target one key
- Use DAX to absorb repeated reads of the same hot items (it does not help with hot writes)
- Let adaptive capacity or on-demand mode isolate frequently accessed items, and choose a higher-cardinality partition key where the data model allows
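Write sharding from the list above, as an added example that is not code from the original page. An in-memory table stands in for DynamoDB so the number of writes landing on each partition key can be counted without an AWS account; the table name, key values and click events are constructed, and the in-memory table is an assumption that models only key-to-partition grouping, not capacity units.

```python
"""DynamoDB write sharding, simulated in memory. Added example: the in-memory
FakeTable stands in for DynamoDB (assumption) so per-partition-key write
counts can be observed; the key values and events are constructed.
"""
import hashlib
import random

SHARD_COUNT = 10


def random_shard_key(logical_pk, shard_count=SHARD_COUNT, rng=random):
    """Random suffix: spreads one hot key over shard_count partition keys.
    Readers must scatter-gather across every suffix."""
    return f"{logical_pk}#{rng.randrange(shard_count)}"


def calculated_shard_key(logical_pk, discriminator, shard_count=SHARD_COUNT):
    """Calculated suffix: hash an attribute the reader already knows (a device
    or customer ID) so a point read can be aimed at exactly one shard."""
    digest = hashlib.sha256(discriminator.encode("utf-8")).hexdigest()
    return f"{logical_pk}#{int(digest, 16) % shard_count}"


class FakeTable:
    """Minimal stand-in for a table: items are grouped by partition key, which
    is also what DynamoDB hashes to pick the physical partition. One key can
    never exceed a single partition's ceiling (1,000 WCU / 3,000 RCU)."""

    def __init__(self):
        self._items = {}

    def put_item(self, pk, item):
        self._items.setdefault(pk, []).append(item)

    def query(self, pk):
        return list(self._items.get(pk, []))

    def writes_per_partition_key(self):
        return {pk: len(items) for pk, items in self._items.items()}


def write_sharded(table, logical_pk, events, shard_count=SHARD_COUNT, rng=random):
    for event in events:
        table.put_item(random_shard_key(logical_pk, shard_count, rng), event)


def read_sharded(table, logical_pk, shard_count=SHARD_COUNT):
    """Scatter-gather read: one query per suffix, merged and re-sorted."""
    merged = []
    for i in range(shard_count):
        merged.extend(table.query(f"{logical_pk}#{i}"))
    return sorted(merged, key=lambda e: e["ts"])


def constructed_events(n):
    # Constructed sample: n click events that all belong to one tenant/day key.
    return [{"ts": i, "tenant": "tenant-42", "page": f"/p/{i % 7}"} for i in range(n)]


def compare(n=1000, shard_count=SHARD_COUNT, seed=1):
    """Max writes any single partition key received, unsharded versus sharded,
    plus a check that the scatter-gather read returns every event."""
    events = constructed_events(n)
    logical_pk = "tenant-42#2024-06-01"
    plain = FakeTable()
    for e in events:
        plain.put_item(logical_pk, e)
    sharded = FakeTable()
    write_sharded(sharded, logical_pk, events, shard_count, random.Random(seed))
    return {
        "unsharded_max": max(plain.writes_per_partition_key().values()),
        "sharded_max": max(sharded.writes_per_partition_key().values()),
        "sharded_keys": len(sharded.writes_per_partition_key()),
        "read_back": len(read_sharded(sharded, logical_pk, shard_count)),
    }


if __name__ == "__main__":
    print(compare())
```

The trade-off the exam wants you to see: the random suffix spreads 1,000 writes over ten keys (roughly 100 each) but turns every read into ten queries, while the calculated suffix keeps reads cheap only when the reader knows the discriminator value.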
Domain 4: Accelerate Workload Migration and Modernization (20%)
Migration Strategies: The 7 Rs
The seven migration strategies (expanded from the original 6 Rs):
| Strategy | Description | When to Use |
|---|---|---|
| Retire | Decommission | Application is unused or redundant |
| Retain | Leave in place | Not ready to migrate, or keep on-premises |
| Rehost (lift and shift) | Move as-is to AWS | Fast migration, no optimization |
| Relocate | Move without changing the workload (VMware VMs to VMware Cloud on AWS, Kubernetes workloads to EKS) | Existing VMware or container workloads |
| Replatform | Minimal modifications | RDS instead of self-managed MySQL |
| Repurchase | Replace with SaaS | Move to Salesforce, ServiceNow |
| Refactor/Re-architect | Redesign for cloud-native | Monolith to microservices |
AWS Migration Services
- AWS Migration Hub: Central tracking for all migration projects
- AWS Application Discovery Service: Discovers on-premises servers, collects performance data
- AWS Database Migration Service (DMS): Migrates databases with minimal downtime; supports homogeneous and heterogeneous migrations
- AWS Schema Conversion Tool (SCT): Converts database schemas from one engine to another (e.g., Oracle to Aurora PostgreSQL)
- AWS DataSync: Transfers large amounts of data to/from on-premises to AWS storage
- AWS Snow Family: Physical devices for offline data transfer at petabyte scale (Snowcone, Snowball, Snowmobile)
Modernization Patterns
Strangler fig pattern: Incrementally replace a monolith by routing new functionality to microservices. The monolith handles legacy requests while new services handle new features. Over time, the monolith shrinks.
CQRS (Command Query Responsibility Segregation): Separate read and write models. Write operations go to a command service (for example DynamoDB); read operations go to a query service optimized for the query shape (OpenSearch Service or Redshift). DynamoDB Streams propagates changes to the read store, so the read side is eventually consistent and its consumers must tolerate a short lag.
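The propagation step of the CQRS pattern above, as an added example that is not code from the original page: a Lambda handler consuming a DynamoDB Streams batch from an orders table (the command side) and maintaining a denormalized view in an in-memory read model that stands in for OpenSearch Service or Redshift. The table layout, attribute names and stream event payload are constructed, and because Streams delivers records at least once the handler tracks the last applied SequenceNumber per order to make replays harmless.

```python
"""CQRS read-side projection from a DynamoDB Streams batch. Added example:
the ReadModel stands in for OpenSearch/Redshift (assumption), and the orders
table layout, attribute names and stream payload are constructed.
"""


def from_ddb(attr):
    """Decode one DynamoDB-JSON attribute value, e.g. {"N": "5"} -> 5."""
    (kind, value), = attr.items()
    if kind == "S":
        return value
    if kind == "N":
        return int(value) if value.lstrip("-").isdigit() else float(value)
    if kind in ("BOOL",):
        return value
    if kind == "NULL":
        return None
    if kind == "M":
        return {k: from_ddb(v) for k, v in value.items()}
    if kind == "L":
        return [from_ddb(v) for v in value]
    raise ValueError(f"unsupported attribute type {kind}")


class ReadModel:
    """Query side: one flat document per order, filterable by any field."""

    def __init__(self):
        self.docs = {}
        self.last_seq = {}  # order id -> last applied stream SequenceNumber

    def is_stale(self, doc_id, seq):
        """Streams are at-least-once; skip replays and out-of-order records."""
        return doc_id in self.last_seq and int(seq) <= self.last_seq[doc_id]

    def upsert(self, doc_id, doc, seq):
        self.docs[doc_id] = doc
        self.last_seq[doc_id] = int(seq)

    def delete(self, doc_id, seq):
        self.docs.pop(doc_id, None)
        self.last_seq[doc_id] = int(seq)

    def search(self, **filters):
        return [d for d in self.docs.values()
                if all(d.get(k) == v for k, v in filters.items())]


READ_MODEL = ReadModel()


def project(image):
    """Denormalize a write-side item into the shape the query side needs."""
    lines = image.get("lines", [])
    return {"orderId": image["orderId"], "customerId": image["customerId"],
            "status": image["status"], "lineCount": len(lines),
            "total": sum(li["qty"] * li["price"] for li in lines)}


def handler(event, context=None, read_model=None):
    """Lambda entry point for a DynamoDB Streams trigger (stream view type
    NEW_AND_OLD_IMAGES). Returns the partial-batch-response shape."""
    rm = read_model if read_model is not None else READ_MODEL
    applied = 0
    for rec in event.get("Records", []):
        if rec.get("eventSource") != "aws:dynamodb":
            continue
        data = rec["dynamodb"]
        doc_id = from_ddb(data["Keys"]["orderId"])
        seq = data["SequenceNumber"]
        if rm.is_stale(doc_id, seq):
            continue
        if rec["eventName"] in ("INSERT", "MODIFY"):
            image = {k: from_ddb(v) for k, v in data["NewImage"].items()}
            rm.upsert(doc_id, project(image), seq)
        elif rec["eventName"] == "REMOVE":
            rm.delete(doc_id, seq)
        applied += 1
    return {"batchItemFailures": [], "applied": applied}


def _order(order_id, customer, status, lines):
    return {"orderId": {"S": order_id}, "customerId": {"S": customer},
            "status": {"S": status},
            "lines": {"L": [{"M": {"qty": {"N": str(q)}, "price": {"N": str(p)}}}
                            for q, p in lines]}}


def _record(name, seq, order_id, new_image=None):
    rec = {"eventName": name, "eventSource": "aws:dynamodb",
           "dynamodb": {"Keys": {"orderId": {"S": order_id}}, "SequenceNumber": seq}}
    if new_image is not None:
        rec["dynamodb"]["NewImage"] = new_image
    return rec


# Constructed stream batch: two inserts, one status change, one delete.
SAMPLE_EVENT = {"Records": [
    _record("INSERT", "100", "o-1001", _order("o-1001", "c-7", "NEW", [(2, 10), (1, 5.5)])),
    _record("INSERT", "101", "o-1002", _order("o-1002", "c-9", "NEW", [(1, 99)])),
    _record("MODIFY", "102", "o-1001", _order("o-1001", "c-7", "SHIPPED", [(2, 10), (1, 5.5)])),
    _record("REMOVE", "103", "o-1002"),
]}

if __name__ == "__main__":
    print(handler(SAMPLE_EVENT))
    print(READ_MODEL.search(customerId="c-7"))
```

Running the same batch twice applies nothing the second time, which is the property you need when Lambda retries a batch after a partial failure. The per-key sequence check assumes all records for one order arrive on the same shard, which holds because a partition key maps to a single shard at any given time.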
"At the Professional level, the exam stops asking 'what does this service do' and starts asking 'given five architectural constraints, what is the least operationally complex solution that meets all of them.' That requires genuinely understanding the trade-offs, not just the features." — Adrian Cantrill, AWS instructor and author of the SAP-C02 course
What to Skip
The SAP-C02 does not require:
- Writing CloudFormation or CDK templates
- Code-level Lambda optimization
- Deep DNS record type knowledge beyond common types
Study Timeline
Recommended: 10-14 weeks for candidates with SAA-C03; more without it.
| Week | Focus |
|---|---|
| 1-2 | AWS Organizations, SCPs, Control Tower, multi-account patterns |
| 3-4 | Advanced networking: Transit Gateway, Direct Connect, hybrid |
| 5-6 | Multi-region architecture, Aurora Global, DynamoDB Global Tables |
| 7-8 | Event-driven patterns, Kinesis, advanced container orchestration |
| 9-10 | Cost optimization, migration strategies, DMS |
| 11-12 | Continuous improvement scenarios, Well-Architected Reviews |
| 13-14 | Practice exams, deep review of wrong answers |
Take at least four full-length practice exams. Each wrong answer should lead you to a specific AWS documentation page. Do not study by rereading notes — study by analyzing why wrong answers are wrong.
See also: AWS Solutions Architect Associate (SAA-C03) Study Guide: Domains, Services, and Scenarios
References
- AWS. "AWS Certified Solutions Architect - Professional Exam Guide (SAP-C02)." https://d1.awsstatic.com/training-and-certification/docs-sa-pro/AWS-Certified-Solutions-Architect-Professional_Exam-Guide.pdf
- AWS. "AWS Well-Architected Framework." https://docs.aws.amazon.com/wellarchitected/latest/framework/welcome.html
- AWS. "Organizing Your AWS Environment Using Multiple Accounts." AWS Whitepaper. https://docs.aws.amazon.com/whitepapers/latest/organizing-your-aws-environment/organizing-your-aws-environment.html
- AWS. "Disaster Recovery of Workloads on AWS." AWS Whitepaper. https://docs.aws.amazon.com/whitepapers/latest/disaster-recovery-workloads-on-aws/disaster-recovery-workloads-on-aws.html
- Cantrill, Adrian. "AWS Certified Solutions Architect Professional." Adrian Cantrill Training, 2023.
- AWS. "AWS Transit Gateway Documentation." https://docs.aws.amazon.com/vpc/latest/tgw/what-is-transit-gateway.html
- AWS. "Amazon Aurora User Guide." https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/CHAP_AuroraOverview.html
- AWS. "Cloud Migrations with AWS." AWS Whitepaper. https://docs.aws.amazon.com/whitepapers/latest/aws-migration-whitepaper/welcome.html
Frequently Asked Questions
How is the SAP-C02 exam different from SAA-C03?
SAP-C02 requires deeper knowledge of multi-account management, enterprise-scale architecture, migration strategies, and complex trade-off analysis. Questions are longer and more nuanced, and every answer option is architecturally plausible. Associate knowledge must be automatic.
What are Service Control Policies (SCPs) and how do they work?
SCPs are attached at the AWS Organizations level (the organization root, OUs, or individual accounts) and define the maximum permissions available in member accounts. They are not permission grants; they set boundaries, and an SCP denial overrides any IAM policy within the account. SCPs do not restrict the management account, which is why it should run no workloads.
When should I use Transit Gateway instead of VPC peering?
Use Transit Gateway when connecting more than a few VPCs, when you need transitive routing between VPCs, or when managing many connections becomes operationally complex. VPC peering is simpler and free (only data transfer costs) for small numbers of VPCs.
What is the strangler fig pattern in AWS migrations?
The strangler fig pattern incrementally replaces a monolithic application by routing new features to microservices while the monolith handles legacy requests. Over time, the monolith is gradually replaced without a risky big-bang migration.
What is the difference between Kinesis Data Streams and SQS?
Kinesis Data Streams supports multiple consumers each reading all records, retains data for 24 hours by default and up to 365 days with long-term retention, and maintains ordering per shard. SQS delivers each message to one consumer (standard queues: at-least-once delivery with best-effort ordering; FIFO queues: exactly-once processing with strict ordering per message group). Kinesis suits real-time analytics; SQS suits decoupled work queues.
